Data encryption at rest and in transit

Data at rest is data that is stored somewhere, such as on a storage area network (SAN) or network-attached storage (NAS) drive, or in cloud storage. All sensitive data needs to be protected by applying symmetric or asymmetric encryption, explained in the previous section, with proper key management.

Data in transit is data in motion, transferred over the network. You may encrypt data at rest at the source and destination, but your data transfer pipeline also needs to be secure while the data is being transferred. When data is transferred over an unencrypted protocol such as HTTP, it can be leaked by an attack such as eavesdropping or a man-in-the-middle (MITM) attack.

In an eavesdropping attack, the attacker captures a small packet from a network and uses it to search for any other type of information. A MITM attack is a tampering-based attack, where the attacker secretly alters the communication to start communication on behalf of the receiver. These kinds of attacks can be prevented by transferring data over SSL, using a strong protocol such as Transport Layer Security (TLS).

You will observe that most websites now use the HTTPS protocol for communication, which encrypts data using SSL. By default, HTTP traffic is unprotected. SSL/TLS protection for HTTP traffic (HTTPS) is supported by all web servers and browsers. HTTP traffic is also applicable to service-oriented architectures such as Representational State Transfer (REST)- and Simple Object Access Protocol (SOAP)-based architectures.

SSL/TLS handshakes use certificates to exchange a public key using asymmetric encryption, and then use the public key to exchange a private key using symmetric encryption. A security certificate is issued by an acceptable Certification Authority (CA) such as Verisign. Procured security certificates need to be secured using a Public Key Infrastructure (PKI). The public cloud, such as AWS, provides an AWS Certificate Manager (ACM) managed
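The certificate check that lets a client detect a MITM during the handshake can be reproduced offline. The following Go program is an added example, not code from the book: it creates throwaway CAs and server certificates, then applies the client-side validation (chain to a trusted CA, match the requested host name). The helper names `must`, `issue` and `check`, the CA name and the `example.test` host names are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort the demo on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a throwaway cert: a self-signed CA if ca is nil, else a server cert signed by ca.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name}}
	if ca == nil { // no issuer given: the template signs itself and may sign others
		t.IsCA, t.KeyUsage, t.DNSNames, ca, caKey = true, x509.KeyUsageCertSign, nil, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// check applies the client-side test: chain to the trusted CA and match the requested host.
func check(leaf, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("Constructed Root CA", nil, nil)       // the CA the client trusts
	rogue, rogueKey := issue("Constructed Root CA", nil, nil) // same name, different key
	genuine, _ := issue("shop.example.test", ca, caKey)
	forged, _ := issue("shop.example.test", rogue, rogueKey)
	fmt.Println("genuine cert:", check(genuine, ca, "shop.example.test"))
	fmt.Println("untrusted CA:", check(forged, ca, "shop.example.test"))
	fmt.Println("wrong host:  ", check(genuine, ca, "pay.example.test"))
}
```

Only the first check returns no error: a certificate signed by a key outside the client's trust store is rejected even when the issuer name is identical, and a valid certificate is rejected when presented for a different host.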

Non-web transmission of data over the network should also be encrypted, and this includes Secure Shell (SSH) and Internet Protocol Security (IPsec) encryption. SSH is most prevalent while connecting to servers, and IPsec is applicable to securing corporate traffic transferred over a virtual private network (VPN). File transfer should be secured using SSH File Transfer Protocol (SFTP) or FTP Secure (FTPS), and email server communication needs to be secured by Simple Mail Transfer Protocol Secure (SMTPS) or Internet Message Access Protocol (IMAPS).

In this section, you learned about various methods to secure data at rest and in motion with different cryptographic techniques. Data backup and recovery is an important aspect of protecting your data in the case of any unforeseen incidents. You will learn more about data backup in Chapter 9, Architectural Reliability Considerations, in the Disaster recovery planning section.

Many governing bodies publish compliance requirements, which are sets of checklists to ensure customers' data security. Compliance also makes sure that organizations comply with industry and local government rules. Let's learn more about various compliance measures in the next section.
